internal PeHeaderReader(string filePath) { // Read in the DLL or EXE and get the timestamp using (var stream = new FileStream(filePath, FileMode.Open, FileAccess.Read)) { var reader = new BinaryReader(stream); _dosHeader = FromBinaryReader <ImageDosHeader>(reader); // Add 4 bytes to the offset stream.Seek(_dosHeader.ELfanew, SeekOrigin.Begin); var ntHeadersSignature = reader.ReadUInt32(); _fileHeader = FromBinaryReader <ImageFileHeader>(reader); if (Is32BitHeader) { _optionalHeader32 = FromBinaryReader <ImageOptionalHeader32>(reader); } else { _optionalHeader64 = FromBinaryReader <ImageOptionalHeader64>(reader); } _imageSectionHeaders = new ImageSectionHeader[_fileHeader.NumberOfSections]; for (var headerNo = 0; headerNo < _imageSectionHeaders.Length; ++headerNo) { _imageSectionHeaders[headerNo] = FromBinaryReader <ImageSectionHeader>(reader); } } }
public void Read(Stream input) { this.DosHeader = input.ReadStructure <ImageDosHeader>(); if (this.DosHeader.Magic != 0x5A4D) // MZ { throw new FormatException("dos header has bad magic"); } input.Seek(this.DosHeader.NewExeOffset, SeekOrigin.Begin); this.NTHeaders = input.ReadStructure <ImageNTHeaders32>(); if (this.NTHeaders.Signature != 0x4550 || this.NTHeaders.FileHeader.SizeOfOptionalHeader != 0xE0) // PE { throw new FormatException("nt header has bad signature"); } else if (this.NTHeaders.OptionalHeader.Magic != 0x10B) // IMAGE_NT_OPTIONAL_HDR32_MAGIC { throw new FormatException("optional header has bad magic"); } this.Sections = new List <ImageSectionHeader>(); for (int i = 0; i < this.NTHeaders.FileHeader.NumberOfSections; i++) { this.Sections.Add(input.ReadStructure <ImageSectionHeader>()); } }
/// <summary> /// Obtains a section from the given file information. /// </summary> /// <param name="rawData"></param> /// <param name="index"></param> /// <param name="dosHeader"></param> /// <param name="ntHeaders"></param> /// <returns></returns> public static ImageSectionHeader GetSection(byte[] rawData, int index, ImageDosHeader dosHeader, ImageNtHeaders32 ntHeaders) { var sectionSize = Marshal.SizeOf(typeof(ImageSectionHeader)); var optionalHeaderOffset = Marshal.OffsetOf(typeof(ImageNtHeaders32), "OptionalHeader").ToInt32(); var dataOffset = dosHeader.e_lfanew + optionalHeaderOffset + ntHeaders.FileHeader.SizeOfOptionalHeader; return(GetStructure <ImageSectionHeader>(rawData, dataOffset + (index * sectionSize))); }
internal static ImageDosHeader FromReadingContext(ReadingContext context) { var reader = context.Reader; var header = new ImageDosHeader { StartOffset = reader.Position, Magic = reader.ReadUInt16() }; reader.Position = 0x3C; header.Lfanew = reader.ReadUInt32(); return(header); }
public PeHeaderReader(RemoteProcess process, IntPtr moduleBase) : base(process, moduleBase) { DosHeader = new ImageDosHeader(process, moduleBase); NtHeader = new ImageNtHeader(process, moduleBase + (int)DosHeader.e_lfanew, Is64Bit); var numSections = (int)NtHeader.FileHeader.NumberOfSections; var secHeaderStart = DosHeader.e_lfanew + NtHeader.FileHeader.SizeOfOptionalHeader + 0x18; SectionHeaders = new ImageSectionHeaders(process, moduleBase + (int)secHeaderStart, numSections); var exportDirVa = NtHeader.OptionalHeader.DataDirectory[0].VirtualAddress; if (exportDirVa != 0) { ExportDirectory = new ImageExportDirectory(process, moduleBase + (int)exportDirVa); } }
public void ImageDosHeaderConstructorWorks_Test() { var idh = new ImageDosHeader(new BufferFile(RawStructures.RawDosHeader), 0); Assert.Equal((uint)0x1100, idh.E_magic); Assert.Equal((uint)0x3322, idh.E_cblp); Assert.Equal((uint)0x5544, idh.E_cp); Assert.Equal((uint)0x7766, idh.E_crlc); Assert.Equal((uint)0x9988, idh.E_cparhdr); Assert.Equal((uint)0xbbaa, idh.E_minalloc); Assert.Equal((uint)0xddcc, idh.E_maxalloc); Assert.Equal((uint)0x00ff, idh.E_ss); Assert.Equal((uint)0x2211, idh.E_sp); Assert.Equal((uint)0x4433, idh.E_csum); Assert.Equal((uint)0x6655, idh.E_ip); Assert.Equal((uint)0x8877, idh.E_cs); Assert.Equal((uint)0xaa99, idh.E_lfarlc); Assert.Equal((uint)0xccbb, idh.E_ovno); AssertEqual(new ushort[] { 0xeedd, 0x00ff, 0x2211, 0x4433 }, idh.E_res); Assert.Equal((uint)0x6655, idh.E_oemid); Assert.Equal((uint)0x8877, idh.E_oeminfo); AssertEqual(new ushort[] { 0xaa99, 0xccbb, 0xeedd, 0x11ff, 0x3322, 0x5544, 0x7766, 0x9988, 0xbbaa, 0xbbcc }, idh.E_res2); }
bool IBinaryConverter <ImageDosHeader> .Convert(ref ImageDosHeader s, uint startOffset, uint size) { Checksum = s.e_csum; Type = s.e_magic; NtHeaderAddress = s.e_lfanew; OemID = s.e_oemid; OemInfo = s.e_oeminfo; PagesCount = s.e_cp; StackPointer = s.e_sp; ReallocationCount = s.e_crlc; ReallocationHeaderAddress = s.e_lfarlc; MsDosStubProgram = startOffset + size; UpdateVirtualInfo(startOffset, size); if (IsExecutable) { UpdateFileInfo(GetSignature(s.e_magic), startOffset, size); } return(true); }
public PeHeaderParser(RemoteProcess process, IntPtr moduleBase) : base(process, moduleBase) { DosHeader = new ImageDosHeader(process, moduleBase); }
public ImageDosHeaderNode(HexDocument doc, ImageDosHeader dosHeader) : base((ulong)dosHeader.StartOffset, (ulong)dosHeader.EndOffset - 1) { this.imageDosHeaderVM = new ImageDosHeaderVM(this, doc, StartOffset); }
public ImageDosHeaderNode(HexBuffer buffer, ImageDosHeader dosHeader) : base(HexSpan.FromBounds((ulong)dosHeader.StartOffset, (ulong)dosHeader.EndOffset)) { imageDosHeaderVM = new ImageDosHeaderVM(this, buffer, Span.Start); }